This is sort of an English version of a website related to my Czech book describing Windows kernel

Windows 7/8/8.1 MBR Examination Part 1

Master Boot Record (MBR) is the usual name for the first sector of a hard drive. The sector contains part of the operating system boot code and information about the primary partitions of the hard drive. The boot code is executed right after the BIOS finishes its initialization and the POST sequence. The main task of the boot code stored in the MBR is to transfer control to the one primary partition that actually boots the operating system.

Because the Master Boot Record is executed so early in the boot process, it is worth looking at it more closely. Some time ago, I did the analysis myself. I decided to share it on this website because it covers the topic of my lecture at the Security Session 2014 conference.

This is a corrected version of the article presented on a certain website you have probably never heard of. I also decided to move the article since that website seems to be completely dead. It is also true that various analyses of the Windows MBR code exist on the web. I just wanted to do such a thing purely on my own.

MBR Structure

The Master Boot Record holds more than just boot code. It also contains information about the primary partitions, the entities that divide the whole hard drive space into several areas. Table 1 shows the structure of the MBR. The boot code occupies the first 440 bytes and is followed by a 4-byte unique disk identifier.

The unique disk identifier is used in the mapping between drive letters and partitions, which is stored in the HKLM\SYSTEM\MountedDevices registry key. The key contains values named \DosDevices\X:, where X is the drive letter. If the value data is 12 bytes long, it contains the unique disk identifier followed by the offset, in bytes, of the start of the corresponding partition; the offset is stored as a 64-bit integer.

Information about the primary partitions begins at byte 446 (offset 0x1BE). There are four entries, each of which may describe one primary partition, so a single hard drive can hold at most four primary partitions.

The last two bytes of the MBR store the magic value 0xAA55. The BIOS checks this value just before it transfers control to the first byte of the sector. If the signature is not present, the hard drive is treated as non-bootable and its MBR code is not executed.

Table 1: Master Boot Record structure

Offset   Length   Description
0x000    440      Boot code
0x1B8    4        Unique identifier of the hard drive
0x1BC    2        Unknown
0x1BE    16       Description of the 1st partition
0x1CE    16       Description of the 2nd partition
0x1DE    16       Description of the 3rd partition
0x1EE    16       Description of the 4th partition
0x1FE    2        Magic signature (0x55 0xAA)

Every primary partition is described by a single 16-byte record whose structure is shown in Table 2. For the boot code, the most important fields are the boot flags, the CHS address and the LBA address. The other structure members probably come into play later in the boot process.

The contents of the boot flags field determine whether the corresponding primary partition is bootable. A value of zero means it is not. When only bit 7 of the value is set, the partition is active (bootable) and the Master Boot Record should transfer execution to its first sector, which is called the Volume Boot Record (VBR). At most one primary partition may be marked as active at a time.

The second, third and fourth bytes of the partition entry contain the cylinder, head and sector numbers where the partition begins. These bytes form a CHS address that can be passed to the BIOS disk interrupt in order to read the first sectors of the partition. However, only the first 1024 cylinders of the disk can be addressed this way, which is far from sufficient these days, when hard drives contain tens of thousands of cylinders or even more. Hence, using the CHS address forces the active partition to start within the first 1024 cylinders.

Fortunately, the problem can be solved with another method of sector addressing, called Logical Block Addressing (LBA). The hard drive is presented as one huge flat area divided into sectors. Every sector is uniquely identified by its distance from the beginning of the drive. The mapping between these sectors and their actual positions in the cylinders and tracks of the drive is managed internally by the drive firmware.

The LBA (address) of the first sector of the partition is stored at offset 8 of its partition entry. This information, together with the length of the partition in sectors, stored in the last four bytes of the entry, is sufficient to determine the area occupied by the partition. Partitions are always contiguous blocks of disk sectors.
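To make the layout of Tables 1 and 2 concrete, here is an added parser (my example, not code from the article or from Windows) that reads one raw 512-byte sector, verifies the 0xAA55 signature, decodes the packed CHS bits, enforces the "at most one active partition" rule and builds the 12-byte MountedDevices value from the disk identifier and the partition LBA. The sample sector, the disk id 0xDEADBEEF and the partition values are constructed for the example; bytes 5-7 of each entry (end CHS) follow the conventional entry layout, which the text above does not list.

```python
import struct

SECTOR_SIZE = 512
SIGNATURE_OFFSET, DISK_ID_OFFSET, TABLE_OFFSET = 0x1FE, 0x1B8, 0x1BE

def decode_chs(raw):
    """Unpack a 3-byte CHS field into (cylinder, head, sector): byte 0 is the
    head, byte 1 holds the sector in bits 0-5 and cylinder bits 8-9 in bits
    6-7, byte 2 holds cylinder bits 0-7."""
    head, b1, b2 = raw
    return ((b1 & 0xC0) << 2) | b2, head, b1 & 0x3F

def parse_mbr(sector):
    """Parse one raw 512-byte sector into the disk id and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("0xAA55 signature missing: BIOS treats the disk as non-bootable")
    disk_id = struct.unpack_from("<I", sector, DISK_ID_OFFSET)[0]
    partitions = []
    for i in range(4):
        # Bytes 5-7 (CHS of the last sector) follow the conventional layout; the
        # text above only lists flags, start CHS, type, LBA and length.
        flags, chs_start, ptype, _chs_end, lba, length = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # unused slot
        if flags not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid boot flags 0x{flags:02X}")
        partitions.append({"index": i, "active": flags == 0x80, "type": ptype,
                           "chs": decode_chs(chs_start), "lba": lba, "sectors": length})
    if sum(p["active"] for p in partitions) > 1:
        raise ValueError("more than one active partition: table is corrupt or tampered")
    return {"disk_id": disk_id, "partitions": partitions}

def mounted_devices_value(disk_id, lba):
    """Build the 12-byte \\DosDevices\\X: value: disk id, then the 64-bit byte offset."""
    return struct.pack("<IQ", disk_id, lba * SECTOR_SIZE)

def build_sample_mbr():
    """Constructed sample: zeroed boot code, disk id 0xDEADBEEF and one active
    type-0x07 partition at LBA 2048 (CHS 0/32/33 for 255 heads x 63 sectors)."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_ID_OFFSET, 0xDEADBEEF)
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 0x100000)
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(sector)
```

On a real disk image the same parser runs over the first 512 bytes of the file; comparing its output against the MountedDevices values from the registry is a quick way to spot an MBR that has been rewritten.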

Table 2: Partition entry structure

Offset   Length   Description
0x0      1        Boot flags
0x1      3        CHS address of the first sector.
                  The first byte: bits 0-7: head number
                  The second byte: bits 0-5: sector number; bits 6-7: bits 8-9 of the cylinder
                  The third byte: bits 0-7: bits 0-7 of the cylinder
0x4      1        Partition type. Gives a hint which file system is used on the partition, or which other purpose the partition serves (e.g. a swap partition).